Information Commissioner's Office


DATA PROTECTION ACT 1998


SUPERVISORY POWERS OF THE INFORMATION COMMISSIONER


MONETARY PENALTY NOTICE


To: Papa John’s (GB) Limited


Of: Papa John’s UK & European Campus, 11 Northfield Drive, Northfield,
Milton Keynes, MK15 0DQ


The Information Commissioner (“the Commissioner”) has decided to 
issue Papa John’s (GB) Limited (“Papa John’s”) with a monetary 
penalty under section 55A of the Data Protection Act 1998 (“DPA”). The 
penalty is in relation to a serious contravention of Regulation 22 of the 
Privacy and Electronic Communications (EC Directive) Regulations 2003 
(“PECR”). 


This notice explains the Commissioner's decision. 


Legal framework 


Papa John’s, whose registered office is given above (Companies House
Registration Number: 02569801) is the organisation stated in this
notice to have transmitted unsolicited communications by means of
electronic mail to individual subscribers for the purposes of direct
marketing contrary to regulation 22 of PECR.


Regulation 22 of PECR states: 


“(1) This regulation applies to the transmission of unsolicited
communications by means of electronic mail to individual
subscribers.


(2) Except in the circumstances referred to in paragraph (3), a person
shall neither transmit, nor instigate the transmission of, unsolicited
communications for the purposes of direct marketing by means of
electronic mail unless the recipient of the electronic mail has
previously notified the sender that he consents for the time being
to such communications being sent by, or at the instigation of, the
sender.


(3) A person may send or instigate the sending of electronic mail for
the purposes of direct marketing where—


(a) that person has obtained the contact details of the recipient
of that electronic mail in the course of the sale or
negotiations for the sale of a product or service to that
recipient;


(b) the direct marketing is in respect of that person’s similar
products and services only; and


(c) the recipient has been given a simple means of refusing
(free of charge except for the costs of the transmission of
the refusal) the use of his contact details for the purposes
of such direct marketing, at the time that the details were
initially collected, and, where he did not initially refuse the
use of the details, at the time of each subsequent
communication.


(4) A subscriber shall not permit his line to be used in contravention of
paragraph (2).”


Section 122(5) of the Data Protection Act 2018 (“DPA18”) defines
direct marketing as “the communication (by whatever means) of any 
advertising material which is directed to particular individuals”. This 
definition also applies for the purposes of PECR (see regulation 2(2) 
PECR and paragraphs 430 & 432(6) to Schedule 19 of the DPA18). 


Consent in PECR is now defined, from 29 March 2019, by reference to
the concept of consent in Regulation 2016/679 (“the GDPR”):
regulation 8(2) of the Data Protection, Privacy and Electronic
Communications (Amendments etc) (EU Exit) Regulations 2019. Article
4(11) of the GDPR sets out the following definition: “‘consent’ of the
data subject means any freely given, specific, informed and
unambiguous indication of the data subject's wishes by which he or
she, by a statement or by a clear affirmative action, signifies
agreement to the processing of personal data relating to him or her”.


“Individual” is defined in regulation 2(1) of PECR as “a living individual
and includes an unincorporated body of such individuals”.


A “subscriber” is defined in regulation 2(1) of PECR as “a person who is
a party to a contract with a provider of public electronic
communications services for the supply of such services”.


“Electronic mail” is defined in regulation 2(1) of PECR as “any text,
voice, sound or image message sent over a public electronic
communications network which can be stored in the network or in the
recipient’s terminal equipment until it is collected by the recipient and
includes messages sent using a short message service”.


The term "soft opt-in" is used to describe the rule set out in
Regulation 22(3) of PECR. In essence, an organisation may be able to
e-mail or message its existing customers even if they haven't
specifically consented to electronic mail. The soft opt-in rule can only
be relied upon by the organisation that collected the contact details.


Section 55A of the DPA (as applied to PECR cases by Schedule 1 to
PECR, as variously amended) states:


“(1) The Commissioner may serve a person with a monetary penalty if
the Commissioner is satisfied that -


(a) there has been a serious contravention of the requirements
of the Privacy and Electronic Communications (EC
Directive) Regulations 2003 by the person,


(b) subsection (2) or (3) applies.


(2) This subsection applies if the contravention was deliberate.


(3) This subsection applies if the person -


(a) knew or ought to have known that there was a risk that the
contravention would occur, but


(b) failed to take reasonable steps to prevent the
contravention.”


The Commissioner has issued statutory guidance under section 55C (1) 
of the DPA about the issuing of monetary penalties that has been 
published on the ICO’s website. The Data Protection (Monetary 
Penalties) (Maximum Penalty and Notices) Regulations 2010 prescribe 
that the amount of any penalty determined by the Commissioner must 
not exceed £500,000. 


PECR implements Directive 2002/58/EC, and Directive 2009/136/EC
which amended the earlier Directive. Both the Directive and PECR are
“designed to protect the privacy of electronic communications users”:
Leave.EU & Eldon Insurance Services v Information Commissioner
[2021] UKUT 26 (AAC) at paragraph 26. The Commissioner seeks to
interpret and apply PECR in a manner consistent with the purpose of
the Directive and PECR of ensuring a high level of protection of the
privacy of individuals, and in particular the protections provided from
receiving unsolicited direct marketing communications which the
individual has not consented to receive.


The provisions of the DPA remain in force for the purposes of PECR 
notwithstanding the introduction of the DPA18: see paragraph 58(1) of 
Schedule 20 to the DPA18. 


Background to the case 


Papa John’s is a pizza company offering both delivery and take-out
service. It first came to the attention of the Commissioner following a
number of complaints being received.


An initial investigation letter was sent to Papa John’s on 21 May 2020
raising some preliminary concerns with its PECR compliance and
providing details of the complaints received. The correspondence also
requested information about the volume of messages sent to
subscribers, the sources of data for the recipients of those messages
and any evidence of consent it relied upon to send marketing
messages. Papa John’s were warned that the Commissioner could issue
civil monetary penalties of up to £500,000 for PECR breaches.


In its response of 26 June 2020, Papa John’s provided the total number
of marketing messages sent between 1 October 2019 and 30 April
2020. It explained that it only obtains data from its own customers
where orders are placed directly with the company. It advised that it
does not obtain data from any other third-party sources.


Papa John’s informed the Commissioner that it relied on the soft opt in
and provided examples of its online consent statements. It also
provided evidence to show that unsubscribe options are given in every
e-mail and text message sent.


In its correspondence Papa John’s advised that following an internal
review of the complaints received by the Commissioner, there were a
number where the soft opt in was not available and a text message
should not have been sent to the customer. It revealed that the
individuals who had received these messages had placed an order over
the telephone but were not presented with an option to opt out of
receiving marketing messages. It explained that their privacy notice
was displayed in stores, and online, and individuals could access the
marketing preference centre on its website. It had suspended
marketing to individuals who have placed an order over the telephone
pending the outcome of the Commissioner’s enquiries. Further evidence
was provided to show opt out messages and screenshots of online
accounts showing individuals can unsubscribe.


The Commissioner subsequently requested the total volume of
messages sent to individuals where their data was obtained over the
telephone during the relevant period. This was provided although Papa
John’s were unable to confirm, of the 210,028 marketing messages
sent, how many had been received by individuals. However, based on
its success rate on delivery, it advised 168,022 text messages were
received by individuals.


The Commissioner has made the above findings of fact on the
balance of probabilities.


The Commissioner has considered whether those facts constitute
a contravention of regulation 22 of PECR by Papa John’s and, if so,
whether the conditions of section 55A DPA are satisfied.


The contravention


The Commissioner finds that Papa John’s contravened regulation 22 of 
PECR. 


The Commissioner finds that the contravention was as follows: 


The Commissioner finds that between 1 October 2019 to 30 April 2020
there were 168,022 direct marketing messages received by
subscribers. The Commissioner finds that Papa John’s transmitted the
direct marketing messages sent, contrary to regulation 22 of PECR.


Papa John’s, as the sender of the direct marketing, is required to
ensure that it is acting in compliance with the requirements of
regulation 22 of PECR, and to ensure that valid consent to send those
messages had been acquired.


Papa John’s collected information for marketing purposes through
customers who order directly via sales channels in its direct control
including its website, app and in store. It relies on the ‘soft opt-in’
exemption provided by Regulation 22(3) PECR. This exemption means
that organisations can send marketing messages by text and e-mail to
individuals whose details had been obtained in the course or
negotiation of a sale and in respect of similar products and services.
The organisation must also give the person a simple opportunity to
refuse or opt out of the marketing, both when first collecting the details
and in every message after that.


Papa John’s informed the Commissioner that for those customers
ordering over the telephone its privacy notice is made available in store
and on its website. It is the Commissioner’s view that those individuals
would not reasonably expect to receive marketing. As a result, 15
complaints were received regarding text messages sent by Papa John’s
during the contravention period in respect of those customers.


In this instance Papa John’s have been unable to evidence consent. 
From the evidence provided it is clear that the individuals had not, at 
the point their data was collected, been given a simple means of 
refusing the use of their contact details for direct marketing; 
accordingly, Papa John’s direct marketing messages failed to meet the 
criteria of Regulation 22(3)(c) PECR. 


The Commissioner is therefore satisfied from the evidence she has
seen that Papa John’s did not have the necessary valid consent for the
168,022 direct marketing messages received by subscribers.


The Commissioner has gone on to consider whether the conditions
under section 55A DPA are met.


Seriousness of the contravention


The Commissioner is satisfied that the contravention identified
above was serious. This is because between 1 October 2019 and 30
April 2020 a confirmed total of 168,022 direct marketing messages
were sent by Papa John’s. These messages contained direct marketing
material for which subscribers had not provided adequate consent.


The rules for electronic marketing are clear in that organisations must
present individuals with an opportunity to opt out of marketing at the
time that their details are collected. Whilst Papa John’s does have
consent for the majority of marketing messages it sends, it does not
have consent to send marketing messages to individuals who have
placed an order over the telephone for delivery. It is unable to rely on
the soft opt in because those subscribers had not been given a simple
means of refusing the use of their contact details for direct marketing.


Papa John’s instead sought to rely upon the assumption that an
individual could review its privacy notice, in store or on its website, and
online marketing preference centre. This assumption is unfair as it puts
the responsibility back on to the individual rather than on to the
company. Customers may not have visited the company app or website
to locate the branch telephone number when placing their order, these
being widely available via online search engines. They may also not
have visited a store to collect their order. Further, any information
about any marketing communications should be provided to individuals
rather than them having to seek it out for themselves. All individuals
should be given the same choice in respect of these communications,
regardless of how they choose to place an order with Papa John’s.


The Commissioner is therefore satisfied that condition (a) from 
section 55A(1) DPA is met. 


Deliberate or negligent contraventions 


The Commissioner has considered whether the contravention identified
above was deliberate. In the Commissioner’s view, this means that
Papa John’s actions which constituted that contravention were
deliberate actions (even if Papa John’s did not actually intend thereby
to contravene PECR).


The Commissioner does not consider that Papa John’s deliberately set
out to contravene PECR in this instance.


The Commissioner has gone on to consider whether the contravention
identified above was negligent. This consideration comprises two
elements:


Firstly, she has considered whether Papa John’s knew or ought
reasonably to have known that there was a risk that these
contraventions would occur. She is satisfied that this condition is met,
not least since the issue of unsolicited text messages has been widely
publicised by the media as being a problem.


The Commissioner has published detailed guidance for those carrying
out direct marketing explaining their legal obligations under PECR.
This guidance gives clear advice regarding the requirements of consent
for direct marketing and explains the circumstances under which
organisations are able to carry out marketing over the phone, by text,
by email, by post, or by fax. In particular it states that organisations
can generally only send, or instigate, marketing emails to individuals if
that person has specifically consented to receiving them; and highlights
the difficulties of relying on indirect consent for email marketing. The
Commissioner has also published detailed guidance on consent under
the GDPR. In case organisations remain unclear on their obligations,
the ICO operates a telephone helpline. ICO communications about
previous enforcement action where businesses have not complied with
PECR are also readily available.


It is therefore reasonable to suppose that Papa John’s should have
been aware of its responsibilities in this area.


Secondly, the Commissioner has gone on to consider whether Papa
John’s failed to take reasonable steps to prevent the contraventions.
Again, she is satisfied that this condition is met.


Such reasonable steps in these circumstances could have included
putting in place appropriate systems, policies and procedures to ensure
that it had the consent of all of its customers to whom it had sent
marketing messages. Whilst it is evident that Papa John’s had policies
in place to ensure a certain level of compliance its measures failed to
capture all types of customer and methods of customer contact. In this
case, a number of customers were not offered adequate means of
opting out of marketing at the time their details were collected by
telephone.


In the circumstances, the Commissioner is satisfied that Papa John’s
failed to take reasonable steps to prevent the contraventions.


The Commissioner is therefore satisfied that condition (b) from section 
55A (1) DPA is met. 


The Commissioner's decision to issue a monetary penalty 


The Commissioner has also taken into account the following
aggravating features of this case:


The actions of Papa John’s were carried out to generate business and to
increase profits, gaining an unfair advantage on those businesses
complying with the PECR;


The Commissioner has also taken into account the following mitigating
feature of this case:


Papa John’s have advised the Commissioner that it has temporarily
suspended marketing to individuals placing orders by telephone, but
otherwise has not yet taken steps to rectify its marketing practices to
ensure overall compliance with PECR for this method of customer
contact.


For the reasons explained above, the Commissioner is satisfied that the
conditions from section 55A (1) DPA have been met in this case. She is
also satisfied that the procedural rights under section 55B have been
complied with.


The latter has included the issuing of a Notice of Intent, in which the
Commissioner set out her preliminary thinking. In reaching her final
view, the Commissioner received no representations from Papa John’s.


The Commissioner is accordingly entitled to issue a monetary penalty 
in this case. 


The Commissioner has considered whether, in the circumstances, she
should exercise her discretion so as to issue a monetary penalty.


The Commissioner has considered the likely impact of a monetary
penalty on Papa John’s. She has decided on the information that is
available to her, that Papa John’s has access to sufficient financial
resources to pay the proposed monetary penalty without causing
undue financial hardship.


The Commissioner’s underlying objective in imposing a monetary
penalty notice is to promote compliance with PECR. The sending of
unsolicited marketing emails is a matter of significant public concern. A
monetary penalty in this case should act as a general encouragement
towards compliance with the law, or at least as a deterrent against
non-compliance, on the part of all persons running businesses currently
engaging in these practices. The issuing of a monetary penalty will
reinforce the need for businesses to ensure that they are only
messaging those who specifically consent to receive marketing.


For these reasons, the Commissioner has decided to issue a monetary
penalty in this case.


The amount of the penalty 


Taking into account all of the above, the Commissioner has decided
that a penalty in the sum of £10,000 (Ten thousand pounds) is
reasonable and proportionate given the particular facts of the case and
the underlying objective in imposing the penalty.


Conclusion


The monetary penalty must be paid to the Commissioner’s office by 
BACS transfer or cheque by 15 July 2021 at the latest. The monetary 
penalty is not kept by the Commissioner but will be paid into the 
Consolidated Fund which is the Government’s general bank account at 
the Bank of England. 


If the Commissioner receives full payment of the monetary penalty by
14 July 2021 the Commissioner will reduce the monetary penalty by
20% to £8,000 (Eight thousand pounds). However, you should be
aware that the early payment discount is not available if you decide to
exercise your right of appeal.


58. There is a right of appeal to the First-tier Tribunal (Information Rights)
against:


(a) the imposition of the monetary penalty
and/or;


(b) the amount of the penalty specified in the monetary penalty
notice.


59. Any notice of appeal should be received by the Tribunal within 28 days
of the date of this monetary penalty notice.


60. Information about appeals is set out in Annex 1.


61. The Commissioner will not take action to enforce a monetary penalty
unless:


• the period specified within the notice within which a monetary
penalty must be paid has expired and all or any of the monetary
penalty has not been paid;


• all relevant appeals against the monetary penalty notice and any
variation of it have either been decided or withdrawn; and


• the period for appealing against the monetary penalty and any
variation of it has expired.


62. In England, Wales and Northern Ireland, the monetary penalty is
recoverable by Order of the County Court or the High Court. In
Scotland, the monetary penalty can be enforced in the same manner as
an extract registered decree arbitral bearing a warrant for execution
issued by the sheriff court of any sheriffdom in Scotland.


Dated the 14th day of June 2021


Andy Curry
Head of Investigations
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF


ANNEX 1


SECTION 55 A-E OF THE DATA PROTECTION ACT 1998


RIGHTS OF APPEAL AGAINST DECISIONS OF THE COMMISSIONER


1. Section 55B(5) of the Data Protection Act 1998 gives any person
upon whom a monetary penalty notice has been served a right of
appeal to the First-tier Tribunal (Information Rights) (the ‘Tribunal’)
against the notice.


2. If you decide to appeal and if the Tribunal considers: -


a) that the notice against which the appeal is brought is not in
accordance with the law; or


b) to the extent that the notice involved an exercise of
discretion by the Commissioner, that she ought to have exercised
her discretion differently,


the Tribunal will allow the appeal or substitute such other decision as
could have been made by the Commissioner. In any other case the
Tribunal will dismiss the appeal.


3. You may bring an appeal by serving a notice of appeal on the
Tribunal at the following address:


General Regulatory Chamber
HM Courts & Tribunals Service
PO Box 9300
Leicester
LE1 8DJ


Telephone: 0203 936 8963
Email: grc@justice.gov.uk


a) The notice of appeal should be sent so it is received by the
Tribunal within 28 days of the date of the notice.


b) If your notice of appeal is late the Tribunal will not admit it
unless the Tribunal has extended the time for complying with this
rule.


The notice of appeal should state:-


a) your name and address/name and address of your
representative (if any);


b) an address where documents may be sent or delivered to
you;


c) the name and address of the Information Commissioner;


d) details of the decision to which the proceedings relate;


e) the result that you are seeking;


f) the grounds on which you rely;


g) you must provide with the notice of appeal a copy of the
monetary penalty notice or variation notice;


h) if you have exceeded the time limit mentioned above the
notice of appeal must include a request for an extension of time
and the reason why the notice of appeal was not provided in
time.


5. Before deciding whether or not to appeal you may wish to consult
your solicitor or another adviser. At the hearing of an appeal a party
may conduct his case himself or may be represented by any person
whom he may appoint for that purpose.


6. The statutory provisions concerning appeals to the First-tier 
Tribunal (Information Rights) are contained in section 55B(5) of, and 
Schedule 6 to, the Data Protection Act 1998, and Tribunal Procedure 
(First-tier Tribunal) (General Regulatory Chamber) Rules 2009 
(Statutory Instrument 2009 No. 1976 (L.20)). 


